Outlook for iOS and Android Deliver Potential Security Concerns
At a time when cyber-attacks are becoming more and more frequent, protecting your company’s information is of the utmost importance, which is why Eze Castle Integration is advising clients to hold off on downloading Microsoft’s Outlook for iOS and Android.
In December 2014, Microsoft acquired Acompli, a tech company known for its mobile mail application. Now, in 2015, Microsoft has rebranded the app as an Outlook application for iOS and Android phones. While the product has done well and has a following, many are wary of certain procedures and features that could compromise information moving forward.
How Does It Work?
The application uses Exchange ActiveSync (EAS) for the majority of users and OWA for advanced functionality. EAS grabs information from Exchange, which is then processed and pushed to the clients. However, each step of the process has potential complications. The platform includes email, calendar features, attachment integration with OneDrive, Dropbox, Google Drive, Box and iCloud, and customization.
To set up the application you must give it your login information so the app can link to your account. It then stores this data, meaning your credentials are held somewhere in a cloud. The only exception is Gmail users, who authorize the app through OAuth instead. Microsoft uses AWS IP addresses to constantly monitor the account in order to notify you, the user.
However, they don’t ask your permission before storing your login information, and they don’t state where they are holding your credentials.
Trial users have reported that even after deleting the application, as soon as they reinstalled the app, information was being pushed to their mobile devices before they had re-entered their login credentials. This presents a serious cybersecurity issue, as the location and magnitude of the information being saved is unknown.
What Are They Storing and Where?
It appears they are storing login information as well as some personal data. For example, as stated in Acompli’s privacy and security policy,
“Some user data are retained in Acompli system during the lifetime of a user account, always encrypted at rest. A user can choose to completely purge his/her account from the mobile app, in which case all user data will be wiped clean throughout the Acompli system, from both the mobile device and the server farm.”
This isn’t the only place where private information is held on outside servers. Their policy also states that,
“The service retrieves the calendar data and address book contacts associated with your email account and securely pushes those to the app on your device. Those messages, calendar events, and contacts, along with their associated media, may be temporarily stored and indexed securely both in our servers and locally on the app on your device.”
At this point, Microsoft has simply rebranded this product, meaning this is still the process that information goes through before it sits in your inbox. This again is a security issue for companies, as they don’t know which information is being stored by Acompli.
In the exchange process, the data is stored on cloud servers in the United States before being pushed to your mailbox. For non-US users this has the potential to introduce data sovereignty and regulatory concerns.
Additional Reasons to Give Pause
A few other concerns:
Currently missing is the ability to enforce PIN locks at the device and application levels; to wipe the device after a maximum number of failed password attempts; and to force inactivity time-out limits that require users to re-enter their PIN after a certain amount of time.
Built-in connectors to OneDrive, Dropbox, and Google Drive potentially allow easy sharing of confidential company files or access to malicious files. This is an added issue that could compromise information.
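For administrators who want to act on the points above (the EAS connection path described under "How Does It Work?" and the missing PIN, wipe and time-out controls), the following Exchange Management Shell commands are an added example and are not from the original post or from Microsoft. They assume Exchange 2013 or later (or Exchange Online) cmdlet names, and they assume that the app identifies itself to EAS with a DeviceType of "Outlook" and a DeviceModel beginning "Outlook for iOS"; those two strings are an assumption to verify against your own device statistics before relying on them.

```powershell
# Added example (not from the original post): audit the mobile device mailbox policy
# controls the post says the app does not honour, inventory devices that identify as
# the Outlook app, and quarantine the app at the organization level.
#
# ASSUMPTION: the app reports DeviceType "Outlook" and a DeviceModel starting with
# "Outlook for iOS". Check Get-MobileDevice output in your own tenant first.

# 1. Review the controls the post lists as missing: PIN enforcement, wipe after N
#    failed attempts, and an inactivity time-out.
Get-MobileDeviceMailboxPolicy -Identity Default |
    Select-Object Name, PasswordEnabled, MaxPasswordFailedAttempts, MaxInactivityTimeLock

# Tighten them if needed (these values are illustrative, not from the post).
Set-MobileDeviceMailboxPolicy -Identity Default `
    -PasswordEnabled $true `
    -MaxPasswordFailedAttempts 10 `
    -MaxInactivityTimeLock 00:15:00

# 2. Inventory mailboxes whose synced devices identify as the Outlook app, so you know
#    which users' credentials and mail may already sit on the third-party service.
$outlookDevices = Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceType -eq 'Outlook' -or $_.DeviceModel -like 'Outlook for iOS*' }

$outlookDevices |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceOS, FirstSyncTime, DeviceAccessState |
    Sort-Object UserDisplayName |
    Format-Table -AutoSize

# 3. Hold new connections from the app for admin review (use -AccessLevel Block to
#    refuse them outright). Existing devices are re-evaluated on their next sync.
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString 'Outlook' -AccessLevel Quarantine

# Confirm the rule is in place.
Get-ActiveSyncDeviceAccessRule | Where-Object { $_.QueryString -eq 'Outlook' }
```

Quarantine rather than Block keeps a record of who tried to connect, which is useful when deciding whether affected users need to rotate the credentials they entered into the app.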
While some believe that the negative hype is just that, hype, it may be better, security-wise, to wait and see what updates and changes Microsoft will make in the future before installing the application.